@push.rocks/smartregistry 2.6.0 → 2.8.1

package/ts/oci/classes.ociregistry.ts

@@ -2,8 +2,9 @@ import { Smartlog } from '@push.rocks/smartlog';
 import { BaseRegistry } from '../core/classes.baseregistry.js';
 import { RegistryStorage } from '../core/classes.registrystorage.js';
 import { AuthManager } from '../core/classes.authmanager.js';
-import type { IRequestContext, IResponse, IAuthToken, IRegistryError } from '../core/interfaces.core.js';
-import type { IProtocolUpstreamConfig } from '../upstream/interfaces.upstream.js';
+import type { IRequestContext, IResponse, IAuthToken, IRegistryError, IRequestActor } from '../core/interfaces.core.js';
+import { createHashTransform, streamToBuffer } from '../core/helpers.stream.js';
+import type { IUpstreamProvider } from '../upstream/interfaces.upstream.js';
 import { OciUpstream } from './classes.ociupstream.js';
 import type {
   IUploadSession,
@@ -24,7 +25,7 @@ export class OciRegistry extends BaseRegistry {
   private basePath: string = '/oci';
   private cleanupInterval?: NodeJS.Timeout;
   private ociTokens?: { realm: string; service: string };
-  private upstream: OciUpstream | null = null;
+  private upstreamProvider: IUpstreamProvider | null = null;
   private logger: Smartlog;
 
   constructor(
@@ -32,13 +33,14 @@ export class OciRegistry extends BaseRegistry {
     authManager: AuthManager,
     basePath: string = '/oci',
     ociTokens?: { realm: string; service: string },
-    upstreamConfig?: IProtocolUpstreamConfig
+    upstreamProvider?: IUpstreamProvider
   ) {
     super();
     this.storage = storage;
     this.authManager = authManager;
     this.basePath = basePath;
     this.ociTokens = ociTokens;
+    this.upstreamProvider = upstreamProvider || null;
 
     // Initialize logger
     this.logger = new Smartlog({
@@ -53,15 +55,50 @@ export class OciRegistry extends BaseRegistry {
     });
     this.logger.enableConsole();
 
-    // Initialize upstream if configured
-    if (upstreamConfig?.enabled) {
-      this.upstream = new OciUpstream(upstreamConfig, basePath, this.logger);
-      this.logger.log('info', 'OCI upstream initialized', {
-        upstreams: upstreamConfig.upstreams.map(u => u.name),
-      });
+    if (upstreamProvider) {
+      this.logger.log('info', 'OCI upstream provider configured');
     }
   }
 
+  /**
+   * Extract scope from OCI repository name.
+   * @example "myorg/myimage" -> "myorg"
+   * @example "library/nginx" -> "library"
+   * @example "nginx" -> null
+   */
+  private extractScope(repository: string): string | null {
+    const slashIndex = repository.indexOf('/');
+    if (slashIndex > 0) {
+      return repository.substring(0, slashIndex);
+    }
+    return null;
+  }
+
+  /**
+   * Get upstream for a specific request.
+   * Calls the provider to resolve upstream config dynamically.
+   */
+  private async getUpstreamForRequest(
+    resource: string,
+    resourceType: string,
+    method: string,
+    actor?: IRequestActor
+  ): Promise<OciUpstream | null> {
+    if (!this.upstreamProvider) return null;
+
+    const config = await this.upstreamProvider.resolveUpstreamConfig({
+      protocol: 'oci',
+      resource,
+      scope: this.extractScope(resource),
+      actor,
+      method,
+      resourceType,
+    });
+
+    if (!config?.enabled) return null;
+    return new OciUpstream(config, this.basePath, this.logger);
+  }
+
   public async init(): Promise<void> {
     // Start cleanup of stale upload sessions
     this.startUploadSessionCleanup();
@@ -80,29 +117,38 @@ export class OciRegistry extends BaseRegistry {
     const tokenString = authHeader?.replace(/^Bearer\s+/i, '');
     const token = tokenString ? await this.authManager.validateToken(tokenString, 'oci') : null;
 
+    // Build actor from context and validated token
+    const actor: IRequestActor = {
+      ...context.actor,
+      userId: token?.userId,
+      ip: context.headers['x-forwarded-for'] || context.headers['X-Forwarded-For'],
+      userAgent: context.headers['user-agent'] || context.headers['User-Agent'],
+    };
+
     // Route to appropriate handler
-    if (path === '/v2/' || path === '/v2') {
+    // OCI spec: GET /v2/ is the version check endpoint
+    if (path === '/' || path === '' || path === '/v2/' || path === '/v2') {
       return this.handleVersionCheck();
     }
 
-    // Manifest operations: /v2/{name}/manifests/{reference}
-    const manifestMatch = path.match(/^\/v2\/([^\/]+(?:\/[^\/]+)*)\/manifests\/([^\/]+)$/);
+    // Manifest operations: /{name}/manifests/{reference}
+    const manifestMatch = path.match(/^\/([^\/]+(?:\/[^\/]+)*)\/manifests\/([^\/]+)$/);
     if (manifestMatch) {
       const [, name, reference] = manifestMatch;
       // Prefer rawBody for content-addressable operations to preserve exact bytes
       const bodyData = context.rawBody || context.body;
-      return this.handleManifestRequest(context.method, name, reference, token, bodyData, context.headers);
+      return this.handleManifestRequest(context.method, name, reference, token, bodyData, context.headers, actor);
     }
 
-    // Blob operations: /v2/{name}/blobs/{digest}
-    const blobMatch = path.match(/^\/v2\/([^\/]+(?:\/[^\/]+)*)\/blobs\/(sha256:[a-f0-9]{64})$/);
+    // Blob operations: /{name}/blobs/{digest}
+    const blobMatch = path.match(/^\/([^\/]+(?:\/[^\/]+)*)\/blobs\/(sha256:[a-f0-9]{64})$/);
     if (blobMatch) {
       const [, name, digest] = blobMatch;
-      return this.handleBlobRequest(context.method, name, digest, token, context.headers);
+      return this.handleBlobRequest(context.method, name, digest, token, context.headers, actor);
     }
 
-    // Blob upload operations: /v2/{name}/blobs/uploads/
-    const uploadInitMatch = path.match(/^\/v2\/([^\/]+(?:\/[^\/]+)*)\/blobs\/uploads\/?$/);
+    // Blob upload operations: /{name}/blobs/uploads/
+    const uploadInitMatch = path.match(/^\/([^\/]+(?:\/[^\/]+)*)\/blobs\/uploads\/?$/);
     if (uploadInitMatch && context.method === 'POST') {
       const [, name] = uploadInitMatch;
       // Prefer rawBody for content-addressable operations to preserve exact bytes
@@ -110,22 +156,22 @@ export class OciRegistry extends BaseRegistry {
       return this.handleUploadInit(name, token, context.query, bodyData);
     }
 
-    // Blob upload operations: /v2/{name}/blobs/uploads/{uuid}
-    const uploadMatch = path.match(/^\/v2\/([^\/]+(?:\/[^\/]+)*)\/blobs\/uploads\/([^\/]+)$/);
+    // Blob upload operations: /{name}/blobs/uploads/{uuid}
+    const uploadMatch = path.match(/^\/([^\/]+(?:\/[^\/]+)*)\/blobs\/uploads\/([^\/]+)$/);
     if (uploadMatch) {
       const [, name, uploadId] = uploadMatch;
       return this.handleUploadSession(context.method, uploadId, token, context);
     }
 
-    // Tags list: /v2/{name}/tags/list
-    const tagsMatch = path.match(/^\/v2\/([^\/]+(?:\/[^\/]+)*)\/tags\/list$/);
+    // Tags list: /{name}/tags/list
+    const tagsMatch = path.match(/^\/([^\/]+(?:\/[^\/]+)*)\/tags\/list$/);
     if (tagsMatch) {
       const [, name] = tagsMatch;
       return this.handleTagsList(name, token, context.query);
     }
 
-    // Referrers: /v2/{name}/referrers/{digest}
-    const referrersMatch = path.match(/^\/v2\/([^\/]+(?:\/[^\/]+)*)\/referrers\/(sha256:[a-f0-9]{64})$/);
+    // Referrers: /{name}/referrers/{digest}
+    const referrersMatch = path.match(/^\/([^\/]+(?:\/[^\/]+)*)\/referrers\/(sha256:[a-f0-9]{64})$/);
     if (referrersMatch) {
       const [, name, digest] = referrersMatch;
       return this.handleReferrers(name, digest, token, context.query);
@@ -168,11 +214,12 @@ export class OciRegistry extends BaseRegistry {
     reference: string,
     token: IAuthToken | null,
     body?: Buffer | any,
-    headers?: Record<string, string>
+    headers?: Record<string, string>,
+    actor?: IRequestActor
   ): Promise<IResponse> {
     switch (method) {
       case 'GET':
-        return this.getManifest(repository, reference, token, headers);
+        return this.getManifest(repository, reference, token, headers, actor);
       case 'HEAD':
         return this.headManifest(repository, reference, token);
       case 'PUT':
@@ -193,11 +240,12 @@ export class OciRegistry extends BaseRegistry {
     repository: string,
     digest: string,
     token: IAuthToken | null,
-    headers: Record<string, string>
+    headers: Record<string, string>,
+    actor?: IRequestActor
   ): Promise<IResponse> {
     switch (method) {
       case 'GET':
-        return this.getBlob(repository, digest, token, headers['range'] || headers['Range']);
+        return this.getBlob(repository, digest, token, headers['range'] || headers['Range'], actor);
       case 'HEAD':
         return this.headBlob(repository, digest, token);
       case 'DELETE':
@@ -243,7 +291,7 @@ export class OciRegistry extends BaseRegistry {
       return {
         status: 201,
         headers: {
-          'Location': `${this.basePath}/v2/${repository}/blobs/${digest}`,
+          'Location': `${this.basePath}/${repository}/blobs/${digest}`,
           'Docker-Content-Digest': digest,
         },
         body: null,
@@ -256,6 +304,8 @@ export class OciRegistry extends BaseRegistry {
       uploadId,
       repository,
       chunks: [],
+      chunkPaths: [],
+      chunkIndex: 0,
       totalSize: 0,
       createdAt: new Date(),
       lastActivity: new Date(),
@@ -266,7 +316,7 @@ export class OciRegistry extends BaseRegistry {
     return {
       status: 202,
       headers: {
-        'Location': `${this.basePath}/v2/${repository}/blobs/uploads/${uploadId}`,
+        'Location': `${this.basePath}/${repository}/blobs/uploads/${uploadId}`,
         'Docker-Upload-UUID': uploadId,
       },
       body: null,
@@ -318,7 +368,8 @@ export class OciRegistry extends BaseRegistry {
     repository: string,
     reference: string,
     token: IAuthToken | null,
-    headers?: Record<string, string>
+    headers?: Record<string, string>,
+    actor?: IRequestActor
   ): Promise<IResponse> {
     if (!await this.checkPermission(token, repository, 'pull')) {
       return this.createUnauthorizedResponse(repository, 'pull');
@@ -346,30 +397,33 @@ export class OciRegistry extends BaseRegistry {
     }
 
     // If not found locally, try upstream
-    if (!manifestData && this.upstream) {
-      this.logger.log('debug', 'getManifest: fetching from upstream', { repository, reference });
-      const upstreamResult = await this.upstream.fetchManifest(repository, reference);
-      if (upstreamResult) {
-        manifestData = Buffer.from(JSON.stringify(upstreamResult.manifest), 'utf8');
-        contentType = upstreamResult.contentType;
-        digest = upstreamResult.digest;
-
-        // Cache the manifest locally
-        await this.storage.putOciManifest(repository, digest, manifestData, contentType);
-
-        // If reference is a tag, update tags mapping
-        if (!reference.startsWith('sha256:')) {
-          const tags = await this.getTagsData(repository);
-          tags[reference] = digest;
-          const tagsPath = `oci/tags/${repository}/tags.json`;
-          await this.storage.putObject(tagsPath, Buffer.from(JSON.stringify(tags), 'utf-8'));
+    if (!manifestData) {
+      const upstream = await this.getUpstreamForRequest(repository, 'manifest', 'GET', actor);
+      if (upstream) {
+        this.logger.log('debug', 'getManifest: fetching from upstream', { repository, reference });
+        const upstreamResult = await upstream.fetchManifest(repository, reference);
+        if (upstreamResult) {
+          manifestData = Buffer.from(JSON.stringify(upstreamResult.manifest), 'utf8');
+          contentType = upstreamResult.contentType;
+          digest = upstreamResult.digest;
+
+          // Cache the manifest locally
+          await this.storage.putOciManifest(repository, digest, manifestData, contentType);
+
+          // If reference is a tag, update tags mapping
+          if (!reference.startsWith('sha256:')) {
+            const tags = await this.getTagsData(repository);
+            tags[reference] = digest;
+            const tagsPath = `oci/tags/${repository}/tags.json`;
+            await this.storage.putObject(tagsPath, Buffer.from(JSON.stringify(tags), 'utf-8'));
+          }
+
+          this.logger.log('debug', 'getManifest: cached manifest locally', {
+            repository,
+            reference,
+            digest,
+          });
         }
-
-        this.logger.log('debug', 'getManifest: cached manifest locally', {
-          repository,
-          reference,
-          digest,
-        });
       }
     }
 
@@ -477,7 +531,7 @@ export class OciRegistry extends BaseRegistry {
     return {
       status: 201,
       headers: {
-        'Location': `${this.basePath}/v2/${repository}/manifests/${digest}`,
+        'Location': `${this.basePath}/${repository}/manifests/${digest}`,
         'Docker-Content-Digest': digest,
       },
       body: null,
@@ -514,19 +568,33 @@ export class OciRegistry extends BaseRegistry {
     repository: string,
     digest: string,
     token: IAuthToken | null,
-    range?: string
+    range?: string,
+    actor?: IRequestActor
   ): Promise<IResponse> {
     if (!await this.checkPermission(token, repository, 'pull')) {
       return this.createUnauthorizedResponse(repository, 'pull');
     }
 
-    // Try local storage first
-    let data = await this.storage.getOciBlob(digest);
+    // Try local storage first (streaming)
+    const streamResult = await this.storage.getOciBlobStream(digest);
+    if (streamResult) {
+      return {
+        status: 200,
+        headers: {
+          'Content-Type': 'application/octet-stream',
+          'Content-Length': streamResult.size.toString(),
+          'Docker-Content-Digest': digest,
+        },
+        body: streamResult.stream,
+      };
+    }
 
     // If not found locally, try upstream
-    if (!data && this.upstream) {
+    let data: Buffer | null = null;
+    const upstream = await this.getUpstreamForRequest(repository, 'blob', 'GET', actor);
+    if (upstream) {
       this.logger.log('debug', 'getBlob: fetching from upstream', { repository, digest });
-      const upstreamBlob = await this.upstream.fetchBlob(repository, digest);
+      const upstreamBlob = await upstream.fetchBlob(repository, digest);
       if (upstreamBlob) {
         data = upstreamBlob;
         // Cache the blob locally (blobs are content-addressable and immutable)
@@ -566,17 +634,15 @@ export class OciRegistry extends BaseRegistry {
       return this.createUnauthorizedHeadResponse(repository, 'pull');
     }
 
-    const exists = await this.storage.ociBlobExists(digest);
-    if (!exists) {
+    const blobSize = await this.storage.getOciBlobSize(digest);
+    if (blobSize === null) {
       return { status: 404, headers: {}, body: null };
     }
 
-    const blob = await this.storage.getOciBlob(digest);
-
     return {
       status: 200,
       headers: {
-        'Content-Length': blob ? blob.length.toString() : '0',
+        'Content-Length': blobSize.toString(),
         'Docker-Content-Digest': digest,
       },
       body: null,
@@ -616,14 +682,19 @@ export class OciRegistry extends BaseRegistry {
     }
 
     const chunkData = this.toBuffer(data);
-    session.chunks.push(chunkData);
+
+    // Write chunk to temp S3 object instead of accumulating in memory
+    const chunkPath = `oci/uploads/${uploadId}/chunk-${session.chunkIndex}`;
+    await this.storage.putObject(chunkPath, chunkData);
+    session.chunkPaths.push(chunkPath);
+    session.chunkIndex++;
     session.totalSize += chunkData.length;
     session.lastActivity = new Date();
 
     return {
       status: 202,
       headers: {
-        'Location': `${this.basePath}/v2/${session.repository}/blobs/uploads/${uploadId}`,
+        'Location': `${this.basePath}/${session.repository}/blobs/uploads/${uploadId}`,
         'Range': `0-${session.totalSize - 1}`,
         'Docker-Upload-UUID': uploadId,
       },
@@ -645,13 +716,52 @@ export class OciRegistry extends BaseRegistry {
       };
     }
 
-    const chunks = [...session.chunks];
-    if (finalData) chunks.push(this.toBuffer(finalData));
-    const blobData = Buffer.concat(chunks);
+    // If there's final data in the PUT body, write it as the last chunk
+    if (finalData) {
+      const buf = this.toBuffer(finalData);
+      const chunkPath = `oci/uploads/${uploadId}/chunk-${session.chunkIndex}`;
+      await this.storage.putObject(chunkPath, buf);
+      session.chunkPaths.push(chunkPath);
+      session.chunkIndex++;
+      session.totalSize += buf.length;
+    }
+
+    // Create a ReadableStream that assembles all chunks from S3 sequentially
+    const chunkPaths = [...session.chunkPaths];
+    const storage = this.storage;
+    let chunkIdx = 0;
+    const assembledStream = new ReadableStream<Uint8Array>({
+      async pull(controller) {
+        if (chunkIdx >= chunkPaths.length) {
+          controller.close();
+          return;
+        }
+        const result = await storage.getObjectStream(chunkPaths[chunkIdx++]);
+        if (result) {
+          const reader = result.stream.getReader();
+          while (true) {
+            const { done, value } = await reader.read();
+            if (done) break;
+            if (value) controller.enqueue(value);
+          }
+        }
+      },
+    });
+
+    // Pipe through hash transform for incremental digest verification
+    const { transform: hashTransform, getDigest } = createHashTransform('sha256');
+    const hashedStream = assembledStream.pipeThrough(hashTransform);
 
-    // Verify digest
-    const calculatedDigest = await this.calculateDigest(blobData);
+    // Consume stream to buffer for S3 upload
+    // (AWS SDK PutObjectCommand requires known content-length for streams;
+    //  the key win is chunks are NOT accumulated in memory during PATCH — they live in S3)
+    const blobData = await streamToBuffer(hashedStream);
+
+    // Verify digest before storing
+    const calculatedDigest = `sha256:${getDigest()}`;
     if (calculatedDigest !== digest) {
+      await this.cleanupUploadChunks(session);
+      this.uploadSessions.delete(uploadId);
       return {
         status: 400,
         headers: {},
@@ -659,19 +769,36 @@ export class OciRegistry extends BaseRegistry {
       };
     }
 
+    // Store verified blob
     await this.storage.putOciBlob(digest, blobData);
+
+    // Cleanup temp chunks and session
+    await this.cleanupUploadChunks(session);
     this.uploadSessions.delete(uploadId);
 
     return {
       status: 201,
       headers: {
-        'Location': `${this.basePath}/v2/${session.repository}/blobs/${digest}`,
+        'Location': `${this.basePath}/${session.repository}/blobs/${digest}`,
         'Docker-Content-Digest': digest,
       },
       body: null,
     };
   }
 
+  /**
+   * Delete all temp S3 chunk objects for an upload session.
+   */
+  private async cleanupUploadChunks(session: IUploadSession): Promise<void> {
+    for (const chunkPath of session.chunkPaths) {
+      try {
+        await this.storage.deleteObject(chunkPath);
+      } catch {
+        // Best-effort cleanup
+      }
+    }
+  }
+
   private async getUploadStatus(uploadId: string): Promise<IResponse> {
     const session = this.uploadSessions.get(uploadId);
     if (!session) {
@@ -685,7 +812,7 @@ export class OciRegistry extends BaseRegistry {
     return {
       status: 204,
       headers: {
-        'Location': `${this.basePath}/v2/${session.repository}/blobs/uploads/${uploadId}`,
+        'Location': `${this.basePath}/${session.repository}/blobs/uploads/${uploadId}`,
         'Range': session.totalSize > 0 ? `0-${session.totalSize - 1}` : '0-0',
         'Docker-Upload-UUID': uploadId,
       },
@@ -830,7 +957,7 @@ export class OciRegistry extends BaseRegistry {
    * Per OCI Distribution Spec, 401 responses MUST include WWW-Authenticate header.
    */
   private createUnauthorizedResponse(repository: string, action: string): IResponse {
-    const realm = this.ociTokens?.realm || `${this.basePath}/v2/token`;
+    const realm = this.ociTokens?.realm || `${this.basePath}/token`;
     const service = this.ociTokens?.service || 'registry';
     return {
       status: 401,
@@ -845,7 +972,7 @@ export class OciRegistry extends BaseRegistry {
    * Create an unauthorized HEAD response (no body per HTTP spec).
    */
   private createUnauthorizedHeadResponse(repository: string, action: string): IResponse {
-    const realm = this.ociTokens?.realm || `${this.basePath}/v2/token`;
+    const realm = this.ociTokens?.realm || `${this.basePath}/token`;
     const service = this.ociTokens?.service || 'registry';
     return {
       status: 401,
@@ -863,6 +990,8 @@ export class OciRegistry extends BaseRegistry {
 
       for (const [uploadId, session] of this.uploadSessions.entries()) {
         if (now.getTime() - session.lastActivity.getTime() > maxAge) {
+          // Clean up temp S3 chunks for stale sessions
+          this.cleanupUploadChunks(session).catch(() => {});
           this.uploadSessions.delete(uploadId);
         }
       }

package/ts/oci/classes.ociupstream.ts

@@ -24,13 +24,18 @@ export class OciUpstream extends BaseUpstream {
   /** Local registry base path for URL building */
   private readonly localBasePath: string;
 
+  /** API prefix for outbound OCI requests (default: /v2) */
+  private readonly apiPrefix: string;
+
   constructor(
     config: IProtocolUpstreamConfig,
     localBasePath: string = '/oci',
     logger?: plugins.smartlog.Smartlog,
+    apiPrefix: string = '/v2',
   ) {
     super(config, logger);
     this.localBasePath = localBasePath;
+    this.apiPrefix = apiPrefix;
   }
 
   /**
@@ -44,7 +49,7 @@ export class OciUpstream extends BaseUpstream {
       protocol: 'oci',
       resource: repository,
       resourceType: 'manifest',
-      path: `/v2/${repository}/manifests/${reference}`,
+      path: `${this.apiPrefix}/${repository}/manifests/${reference}`,
       method: 'GET',
       headers: {
         'accept': [
@@ -88,7 +93,7 @@ export class OciUpstream extends BaseUpstream {
       protocol: 'oci',
       resource: repository,
       resourceType: 'manifest',
-      path: `/v2/${repository}/manifests/${reference}`,
+      path: `${this.apiPrefix}/${repository}/manifests/${reference}`,
       method: 'HEAD',
       headers: {
         'accept': [
@@ -127,7 +132,7 @@ export class OciUpstream extends BaseUpstream {
       protocol: 'oci',
       resource: repository,
       resourceType: 'blob',
-      path: `/v2/${repository}/blobs/${digest}`,
+      path: `${this.apiPrefix}/${repository}/blobs/${digest}`,
       method: 'GET',
       headers: {
         'accept': 'application/octet-stream',
@@ -155,7 +160,7 @@ export class OciUpstream extends BaseUpstream {
       protocol: 'oci',
       resource: repository,
       resourceType: 'blob',
-      path: `/v2/${repository}/blobs/${digest}`,
+      path: `${this.apiPrefix}/${repository}/blobs/${digest}`,
       method: 'HEAD',
       headers: {},
       query: {},
@@ -189,7 +194,7 @@ export class OciUpstream extends BaseUpstream {
       protocol: 'oci',
       resource: repository,
       resourceType: 'tags',
-      path: `/v2/${repository}/tags/list`,
+      path: `${this.apiPrefix}/${repository}/tags/list`,
       method: 'GET',
       headers: {
         'accept': 'application/json',
@@ -215,7 +220,8 @@ export class OciUpstream extends BaseUpstream {
 
   /**
    * Override URL building for OCI-specific handling.
-   * OCI registries use /v2/ prefix and may require special handling for Docker Hub.
+   * OCI registries use a configurable API prefix (default /v2/) and may require
+   * special handling for Docker Hub.
    */
   protected buildUpstreamUrl(
     upstream: IUpstreamRegistryConfig,
@@ -228,16 +234,20 @@ export class OciUpstream extends BaseUpstream {
       baseUrl = baseUrl.slice(0, -1);
     }
 
+    // Use per-upstream apiPrefix if configured, otherwise use the instance default
+    const prefix = upstream.apiPrefix || this.apiPrefix;
+
     // Handle Docker Hub special case
     // Docker Hub uses registry-1.docker.io but library images need special handling
     if (baseUrl.includes('docker.io') || baseUrl.includes('registry-1.docker.io')) {
       // For library images (e.g., "nginx" -> "library/nginx")
-      const pathParts = context.path.match(/^\/v2\/([^\/]+)\/(.+)$/);
+      const escapedPrefix = prefix.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+      const pathParts = context.path.match(new RegExp(`^${escapedPrefix}\\/([^\\/]+)\\/(.+)$`));
       if (pathParts) {
         const [, repository, rest] = pathParts;
         // If repository doesn't contain a slash, it's a library image
         if (!repository.includes('/')) {
-          return `${baseUrl}/v2/library/${repository}/${rest}`;
+          return `${baseUrl}${prefix}/library/${repository}/${rest}`;
         }
       }
     }

package/ts/oci/interfaces.oci.ts

@@ -62,6 +62,10 @@ export interface IUploadSession {
   uploadId: string;
   repository: string;
   chunks: Buffer[];
+  /** S3 paths to temp chunk objects (streaming mode) */
+  chunkPaths: string[];
+  /** Index counter for naming temp chunk objects */
+  chunkIndex: number;
   totalSize: number;
   createdAt: Date;
   lastActivity: Date;